Firewall blocks port that is allowed in the rules list

hoba

You have to show us the nat rule and the firewallrule or we can't help you.

A Former User

What is the best way? A Printscreen or the config files?

thx mike

A Former User

here are the xml part form the NAT Section

• <nat><ipsecpassthru>- <rule><protocol>tcp</protocol>
    <external-port>22</external-port>
    <target>192.168.1.16</target>
    <local-port>22</local-port>
    <interface>wan</interface>
    <descr>SSH Server Enif</descr></rule>
• <rule><protocol>tcp</protocol>
    <external-port>80</external-port>
    <target>192.168.20.14</target>
    <local-port>80</local-port>
    <interface>wan</interface>
    <descr>Web Server Scutum</descr></rule>
• <rule><protocol>udp</protocol>
    <external-port>5060-5062</external-port>
    <target>192.168.1.15</target>
    <local-port>5060</local-port>
    <interface>wan</interface>
    <descr>SIP</descr></rule>
• <rule><protocol>udp</protocol>
    <external-port>10000-10200</external-port>
    <target>192.168.1.15</target>
    <local-port>10000</local-port>
    <interface>wan</interface>
    <descr>RTP</descr></rule>
• <advancedoutbound>- <rule>- <source>
    <network>192.168.1.0/24</network>

<sourceport><descr>LAN –> WAN</descr>
  <target><interface>wan</interface>

• <destination><any></any></destination>
    <natport></natport></target></sourceport></rule>
• <rule>- <source>
    <network>192.168.30.0/24</network>

<sourceport><descr>WLAN --> WAN</descr>
  <target><interface>wan</interface>

• <destination><any></any></destination>
    <natport></natport></target></sourceport></rule>
• <rule>- <source>
    <network>192.168.20.0/24</network>

<sourceport><descr>DMZ --> WAN</descr>
  <target><interface>wan</interface>

• <destination><any></any></destination>
    <natport></natport></target></sourceport></rule>
    <enable></enable></advancedoutbound></ipsecpassthru></nat>

and rules:

• <filter>- <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><max-src-conn-rate>1</max-src-conn-rate>
    <max-src-conn-rates>10</max-src-conn-rates>
    <protocol>tcp</protocol>
• <source>
    <any>- <destination><address>192.168.1.16</address>

<port>22</port></destination>
  <log><descr>NAT SSH Server Enif</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>

• <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
• <source>
    <any>- <destination><any><port>443</port></any></destination>
    <log><descr>OpenVPN Server ( spez. inport https )</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>
• <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
• <source>
    <any>- <destination><address>192.168.20.14</address>

<port>80</port></destination>
  <descr>NAT Web Server Scutum</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>

• <**rule>
    <type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>udp</protocol>

• <source>
    <network>wanip</network>

• <destination><address>192.168.1.15</address>

<port>5060-5062</port></destination>
  <log><descr>NAT SIP</descr></log></os></statetimeout></max-src-states></max-src-nodes>**

• <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>

• <source>
    <network>wanip</network>

• <destination><network>opt2</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

• **<rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>udp</protocol>

• <source>
    <any>- <destination><address>192.168.1.15</address>

<port>10000-10200</port></destination>
  <log><descr>NAT RTP</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>**

• <rule><type>pass</type>
    <interface>opt2</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os>- <source>
    <network>opt2</network>

• <destination><network>lan</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

• <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os>- <source>
    <network>opt1</network>

• <destination><network>wanip</network></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

• <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>

• <source>
    <network>opt1</network>
    <port>22</port>

• <destination><network>lan</network>
    <port>22</port></destination></os></statetimeout></max-src-states></max-src-nodes></rule>

• <rule><type>pass</type>
    <descr>Default LAN -> any</descr>
    <interface>lan</interface>

• <source>
    <network>lan</network>

• <destination><any></any></destination></rule>

• <rule><interface>enc0</interface>
    <type>pass</type>

• <source>
    <any>- <destination><any></any></destination>
    <descr>Permit IPSEC traffic.</descr>
    <statetype>keep state</statetype></any></rule></filter>

thx mike

hoba

You should forward and allow tcp for the 506x ports too. The higher ports should be udp only but depending on the implementation it might need tcp there too ( http://en.wikipedia.org/wiki/Session_Initiation_Protocol ).

A Former User

Ok

I change this, but for me total unclear is why pfsense block my traffic that I want to pass?

thx mike

hoba

Show us the exact line of the block that you thin that should be a pass. Your firewallrules are somehow wrong. There is no other reason why it should block traffic besides of that.

A Former User

hi

that's the Bold on's in the previous post, here only this on:

NAT:

<rule><protocol>udp</protocol>
  <external-port>5060-5062</external-port>
  <target>192.168.1.15</target>
  <local-port>5060</local-port>
  <interface>wan</interface>
  <descr>SIP</descr></rule>

Rules:

<rule><type>pass</type>
  <interface>wan</interface>
  <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
  <os><protocol>udp</protocol>

• <source>
    <network>wanip</network>

• <destination><address>192.168.1.15</address>

<port>5060-5062</port></destination>
  <log><descr>NAT SIP</descr></log></os></statetimeout></max-src-states></max-src-nodes></rule>

thx mike

hoba

I was able to read the bold text the first time already  ;)

I wanted to see the exact line of the block from status>systemlogs, firewall.

A Former User

sorry

here the line:

"Mar 17 20:35:36  WAN  62.65.128.62:5060  192.168.1.15:5060  UDP"

mike

hoba

On the portforward, do you happen to have external adress set to "any" instead of the interface IP?

A Former User

I try it, but nothing changed:

WAN  TCP/UDP  5060 - 5069  192.168.1.15 (ext.: any) 5060 - 5069 SIP

Mar 17 21:34:34  WAN  62.65.128.62:5060  192.168.1.15:5060  UDP

mike

hoba

external interface has to be the interface IP. "any" is for rather special needs and should not be used usually. I'm out of clues  ::)